Web Application Security
File Upload with changed extension Dec 02 2014 06:44PM
Jyotiranjan Acharya (jyotiranjan121 gmail com) (2 replies)
Re: File Upload with changed extension Dec 04 2014 01:25AM
Michal Zalewski (lcamtuf coredump cx) (1 replies)
I can't say I'm convinced about other attacks discussed in this
thread, but if you have a web server that allows arbitrary file
uploads and then serves them back from a sensitive origin without
taking *a lot* of additional precautions (the list of which is long
and ever-changing), then you probably have a problem.

For one, you can load the content via <embed> / <object> on evil.com,
and have it interpreted as Flash, Silverlight, Java, or something of
that sort - with permissions derived from the hosting origin and with
no regard for file extensions or Content-Type. So, you get a form of
XSS.

The safest / simples approach to user-supplied non-HTML documents is
to serve them in a separate domain, away from any sensitive UIs, etc.

On Tue, Dec 2, 2014 at 10:44 AM, Jyotiranjan Acharya
<jyotiranjan121 (at) gmail (dot) com [email concealed]> wrote:
> If you are able to upload a file with a changed extension, then will
> that be a problem?
> For example, you can not ,in any way, upload a .exe or .php/.jsp/.asp
> file directly into a web App, but you can by changing their extension
> to .JPG. What is the risk in such a case?
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
Re: File Upload with changed extension Dec 04 2014 12:26PM
Robin Wood (robin digi ninja)
Re: File Upload with changed extension Dec 03 2014 01:42AM
Guillermo Caminer (flaco webappsec gmail com) (1 replies)
Re: File Upload with changed extension Dec 03 2014 09:44AM
Tobias Wassermann (mail tobias-wassermann de) (1 replies)
Re: File Upload with changed extension Dec 03 2014 03:29PM
Seth Art (sethsec gmail com) (1 replies)
Re: File Upload with changed extension Dec 04 2014 12:21AM
Paul Burbage (paul k burbage gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus